CVE-2026-32013 HIGH

CVE-2026-32013: OpenClaw < 2026.2.25 - Symlink Traversal in agents.files Methods

Vendor Openclaw
Product OpenClaw
Weakness CWE-59
Published March 19, 2026
Last update March 20, 2026

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

OpenClaw versions prior to 2026.2.25 contain a symlink traversal vulnerability in the agents.files.get and agents.files.set methods that allows reading and writing files outside the agent workspace. Attackers can exploit symlinked allowlisted files to access arbitrary host files within gateway process permissions, potentially enabling code execution through file overwrite attacks.

Key dates

02Disclosure timeline

March 19, 2026 CVE published
March 20, 2026 Record updated